Skip to content

Central Administration (CA)

Cesivi's Central Administration is a real site collection anchored at an explicit managed path. It is the coherent home for the farm admin pages (/_admin/*.aspx — Authentication Providers, Web Applications, Site Collections, Timer Jobs, Farm Health, etc.) rather than a loose set of admin endpoints.

CA is opt-in. With no Cesivi:CentralAdministration configuration the feature is disabled and existing single-Web-Application deploys are byte-identical (no CA site collection, no extra routes).

Terminology. "Web Application" (WA) is the real-SharePoint farm object: a set of host bindings + auth + content databases. Cesivi seeds a single Default WA out of the box. See _docs/MULTI_SERVER_DEPLOYMENT.md and the masterplan _project/areas/multi-webapp/DESIGN.md for the wider multi-WA model.


Two deployment modes

The operator picks at deploy time which WA owns CA and at which managed path it lives.

Mode CA lives at Reached via Use when
A — CA at a managed path on an existing WA e.g. /admin of the Default WA https://sp.contoso.com/admin/_layouts/15/<page>.aspx Simplest. One process, one listener, one auth cookie scope. Most installs.
B — CA on a dedicated WA the root (/) of a CA-only WA https://ca.contoso.com/_layouts/15/<page>.aspx Hardened. CA is isolated on its own hostname (and optionally its own port + cert via PLAN-1771).

In both modes CA is always at an explicit managed path — never a wildcard, never inferred from a URL pattern. The [Authorize(Policy="CentralAdmin")] gate (role FarmAdmin) is unchanged in either mode: non-admin users get 403.


Configuration

CA is driven by one config section, Cesivi:CentralAdministration, that both processes bind:

  • Cesivi.Server seeds the CA site collection (CentralAdministrationSeeder, PLAN-1775 Phase 1).
  • Cesivi.WebUI routes the admin pages under the CA managed path (CentralAdministrationRouteMiddleware, PLAN-1775 Phase 2) and host-gates them against the resolved WA (PLAN-1775 Phase 2b/2c).

Set the SAME section in both appsettings.json files.

// Cesivi:CentralAdministration
{
  "Cesivi": {
    "CentralAdministration": {
      "Enabled": true,          // opt-in; false (default) => CA disabled, byte-identical
      "WebApplication": "Default", // the WA that OWNS the CA site collection
      "ManagedPath": "/admin"   // Mode A: explicit non-root path; Mode B: "/"
    }
  }
}
Field Meaning
Enabled Master switch. false (default) → no CA site collection, no routes, no host gating.
WebApplication Name of the WA that owns CA. Mode A: usually Default. Mode B: the dedicated CA WA (e.g. CentralAdmin).
ManagedPath Mode A: an explicit path like /admin. Mode B: / (CA is the WA root).

Mode A example

{ "Cesivi": { "CentralAdministration": {
  "Enabled": true, "WebApplication": "Default", "ManagedPath": "/admin" } } }

Browse to https://sp.contoso.com/admin/_layouts/15/authproviders.aspx → the existing Authentication Providers admin page renders under the CA managed path, signed in as a FarmAdmin. The canonical https://sp.contoso.com/_admin/authproviders.aspx URL keeps working unchanged.

Mode B example

Mode B needs a dedicated CA WA with its own host binding. Seed it in Cesivi:Farm:WebApplications (both processes), then point CA at it:

{
  "Cesivi": {
    "Farm": {
      // Hardened multi-WA deploy: bind the Default WA to its own host (no wildcard) and 404 unmapped hosts,
      // so CA's hostname only reaches CA.
      "UnmappedHostBehavior": "NotFound",
      "WebApplications": [
        { "Name": "Default",      "HostBindings": [ { "Host": "sp.contoso.com" } ] },
        { "Name": "CentralAdmin", "HostBindings": [ { "Host": "ca.contoso.com" } ],
          "AnonymousAccess": "NeverAllowed" }
      ]
    },
    "CentralAdministration": {
      "Enabled": true, "WebApplication": "CentralAdmin", "ManagedPath": "/"
    }
  }
}

Browse to https://ca.contoso.com/_layouts/15/authproviders.aspx → the same admin page renders.


Cross-mode isolation (how the admin URLs are NOT leaked)

The WebUI resolves the request host → WA name (WebUiWebApplicationResolutionMiddleware, mirroring the server's WebApplicationResolutionMiddleware) and the CA route middleware only rewrites when the request landed on CA's owning WA:

  • Mode A, request on a host that resolves to a different WA → the admin URL is not rewritten (downstream 404). If the Default WA has no wildcard binding and UnmappedHostBehavior=NotFound, an unknown host such as ca.contoso.com 404s at the resolution middleware.
  • Mode B, the bare /_layouts/15/<page>.aspx rewrite is restricted to known admin pages and fires only on the CA WA's host — a content WA's own layouts pages are never hijacked, and the same path on the Default WA's host 404s.

This is the Mode A↔Mode B cross-mode confusion gate (unit-proven by CentralAdministrationRouteMiddlewareTests / WebUiWebApplicationResolverTests).

Why both processes need the config

The admin Razor pages run in the WebUI process; the CA site-collection seeder and the canonical host→WA resolution run in Cesivi.Server. The WebUI therefore mirrors Cesivi:Farm:WebApplications to resolve the request's WA itself. Keep the Cesivi:CentralAdministration and Cesivi:Farm:WebApplications sections identical in both appsettings.json files.


What does NOT move

/_admin/* and /_farm/* REST/JSON probe endpoints stay at their well-known paths — they are tooling endpoints, not user-navigable admin pages. Only the Razor admin pages are reachable under the CA managed path; the JSON probes are unchanged so operators and scripts keep predictable URLs.


Migrating between Mode A and Mode B

Changing WebApplication / ManagedPath is a scheduled-downtime operation: stop the farm, edit the config in both processes (and the Cesivi:Farm:WebApplications host bindings for Mode B), restart. The CA seeder is idempotent, so re-seeding at the new location is safe.


  • _project/plans/PLAN-1775-MultiWA-CentralAdministration.md — the implementation plan.
  • _project/areas/multi-webapp/DESIGN.md — the multi-WA / HNSC / Content-DB design.
  • _docs/MULTI_SERVER_DEPLOYMENT.md — farm / cluster deployment.